SAP / cloud-mta-build-tool

Multi-Target Application (MTA) build tool for Cloud Applications https://sap.github.io/cloud-mta-build-tool
Apache License 2.0

Replace `--production` by `--omit=dev` #1120

Open swaldmann opened 3 months ago

swaldmann commented 3 months ago

Description

This PR replaces all occurrences of --production in an npm context with --omit=dev.

Currently you get these warnings when deploying MTA projects with the standard npm builder: "npm warn config production Use --omit=dev instead"

The omit option was introduced with npm 8, so it's available in all supported versions.

cla-assistant[bot] commented 3 months ago

CLA assistant check
All committers have signed the CLA.

yutaoj commented 2 months ago

This parameter "--production" is still used by Node v14.

swaldmann commented 2 months ago

Node 14 (and 16) are already end-of-life though. They shouldn't be used any more, as they won't even get patched. IMO you should drop support for them, as in the worst case this enables stakeholders using those outdated versions.

Even if Node 14 support has to be kept for some reason there should be a conditional to use the --omit=dev version for later Node versions. We really shouldn't show warnings for standard projects using a current LTS version just to accommodate to some version deprecated for years.
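
A sketch of the version conditional suggested in the comment above, as an added example that is not code from this PR or from the project. The function names, the `install` subcommand and the sample version strings are assumptions; the npm 8 threshold is taken from the PR description.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// omitMinMajor is the first npm major version treated as supporting --omit=dev.
// Assumption: taken from the PR description ("introduced with npm 8").
const omitMinMajor = 8

// npmMajor extracts the major version from `npm --version` output such as
// "10.8.2", "v6.14.18" or "9.0.0-pre.1\n".
func npmMajor(versionOutput string) (int, error) {
	v := strings.TrimPrefix(strings.TrimSpace(versionOutput), "v")
	majorStr, _, found := strings.Cut(v, ".")
	if !found {
		return 0, fmt.Errorf("unrecognized npm version %q", versionOutput)
	}
	major, err := strconv.Atoi(majorStr)
	if err != nil || major < 0 {
		return 0, fmt.Errorf("unrecognized npm version %q", versionOutput)
	}
	return major, nil
}

// prodInstallArgs returns npm arguments for an install without devDependencies.
// Unparseable or old versions fall back to --production, which current npm
// still accepts but reports with the warning quoted in the PR description.
func prodInstallArgs(versionOutput string) []string {
	major, err := npmMajor(versionOutput)
	if err == nil && major >= omitMinMajor {
		return []string{"install", "--omit=dev"}
	}
	return []string{"install", "--production"}
}

func main() {
	// Constructed sample outputs of `npm --version`.
	for _, v := range []string{"6.14.18", "10.8.2\n", "v9.0.0-pre.1", "garbage"} {
		fmt.Printf("%-14q -> npm %s\n", v, strings.Join(prodInstallArgs(v), " "))
	}
}
```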

jerome-benoit commented 2 months ago

> Even if Node 14 support has to be kept for some reason there should be a conditional to use the --omit=dev version for later Node versions. We really shouldn't show warnings for standard projects using a current LTS version just to accommodate to some version deprecated for years.

If you expect that repo to follow the most basic best current security practices or even SAP security policies, you will face disillusionment :) I've tried to push a bunch of security compliance PRs a year ago, most of them have been merged/taken over.

Dunno why such a critical piece in the SAP software supply chain can be left with known critical CVEs such as https://security-tracker.debian.org/tracker/CVE-2024-2961 several months ... or years.